Add an indicator that an extension has been processed.

ok jsing@

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full ranomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing

Make tlsext_*_{build,needs,parse}() functions static

None of these functions are used outside of ssl_tlsext.c. The only reason
they are prototyped in the header is for the use of tlsexttest.c. Rather
than having a big pile of useless copy-paste in the header, we can adapt
the test to avoid using these functions directly.

ok jsing

Factor out ALPN extension format check

The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.

ok jsing

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@

Add stubbed out handlers for the pre_shared_key extension

ok jsing

Implement handlers for the psk_key_exchange_modes extensions.

ok jsing

Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full ranomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing

Make tlsext_*_{build,needs,parse}() functions static

None of these functions are used outside of ssl_tlsext.c. The only reason
they are prototyped in the header is for the use of tlsexttest.c. Rather
than having a big pile of useless copy-paste in the header, we can adapt
the test to avoid using these functions directly.

ok jsing

Factor out ALPN extension format check

The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.

ok jsing

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@

Add stubbed out handlers for the pre_shared_key extension

ok jsing

Implement handlers for the psk_key_exchange_modes extensions.

ok jsing

Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Make tlsext_*_{build,needs,parse}() functions static

None of these functions are used outside of ssl_tlsext.c. The only reason
they are prototyped in the header is for the use of tlsexttest.c. Rather
than having a big pile of useless copy-paste in the header, we can adapt
the test to avoid using these functions directly.

ok jsing

Factor out ALPN extension format check

The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.

ok jsing

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@

Add stubbed out handlers for the pre_shared_key extension

ok jsing

Implement handlers for the psk_key_exchange_modes extensions.

ok jsing

Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Factor out ALPN extension format check

The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.

ok jsing

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@

Add stubbed out handlers for the pre_shared_key extension

ok jsing

Implement handlers for the psk_key_exchange_modes extensions.

ok jsing

Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@

Add stubbed out handlers for the pre_shared_key extension

ok jsing

Implement handlers for the psk_key_exchange_modes extensions.

ok jsing

Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Add stubbed out handlers for the pre_shared_key extension

ok jsing

Implement handlers for the psk_key_exchange_modes extensions.

ok jsing

Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into
.data.rel.ro and .rodata respectively.

ok tb@ jsing@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Make the message type available to the extension functions

Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.

This approach was suggested a while ago by jsing.

ok beck jsing

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Enforce that SNI hostnames be correct as per rfc 6066 and 5980.
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.

ok tb@`

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Correct value for SSL_TLSEXT_MSG_HRR.

ok beck@ tb@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Add tls_extension_seen(), a utility to know if a particular extension
has been seen in the handshake so far. Use it for keyshare.
ok tb@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Add server side of versions, keyshare, and client and server of cookie
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@

revert previous, accidentally contained another diff in addition
to the one I intended to commit

Modify sigalgs extension processing for TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

copyright

Add client side of supported versions and keyshare extensions with basic regress
ok jsing@

Rename TLS extension handling to use less "hello".

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.

Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:

clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse

ok beck@ tb@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@

Start rewriting TLS extension handling.

Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.

Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.

Discussed with beck@

ok inoguchi@

Add header guards and hidden declarations.

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@

Complete the TLS extension rewrite on the client-side.

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.

This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.

ok beck@

Complete the TLS extension handling rewrite for the server-side.

This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.

The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).

ok inoguchi@

Rewrite SRTP extension using CBB/CBS and the new extension framework.

input + ok beck@, jsing@

Rewrite ALPN extension using CBB/CBS and the new extension framework.

ok bcook@ beck@
input + ok jsing@

Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@

Convert TLS signature algorithms extension handling to the new framework.

ok beck@ doug@

Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.

ok jsing@ beck@

Rewrite EllipticCurves TLS extension handling using CBB/CBS and the new
extension framework.

input + ok jsing@

Add doug@'s copyright since he just added code to these two files.

Rewrite the ECPointFormats TLS extension handling using CBB/CBS and the
new extension framework.

input + ok jsing@

Rewrite the TLS Renegotiation Indication extension handling using CBB/CBS
and the new extension framework.

Feedback from doug@

ok inoguchi@